Despite significant technological progress in addressing complex security threats, the key to preventing the next attack lies in adhering to fundamental security principles. It’s essential to ensure the software ecosystem is secure, focusing on protecting .NET developers who design, build, and maintain the critical software we all use.

As the home to one of the world’s largest developer communities, NuGet is in a unique position to help improve the security of the software supply chain. In 2022, we launched several initiatives aimed at enhancing supply chain security and prioritizing the protection of developers.

In the past year, NuGet expanded by over 52,000 unique packages, a 15% increase, and saw 176 billion package downloads, up 58%. Alongside this growth, security challenges have also increased. Last year, NuGet had 267 security advisories; now, that number has doubled to ~616, affecting thousands of widely-used package versions.

OSS Secure Software Supply Chain Growth 📈

However, NuGet is not alone in facing these issues. The entire software supply chain is experiencing similar growth and challenges. According to the recent SonaType State of the Software Supply Chain report, it highlights:

• 1/8 OSS downloads have known risk.
• ~245,000 malicious packages have been discovered in 2023 – 2x all previous years combined.
• ~19% of OSS that were maintained in 2022, are not maintained today.
• 67% of consumers feel confident that their applications do not rely on known vulnerable libraries despite 10% reporting a security breach caused by OSS.
• ~96% of known vulnerabilities have a fixed version available as they are disclosed.

Security remains a crucial concern in today’s world as new supply chain attacks are discovered daily, featuring sophisticated tactics that target central registries and keep their maintainers on high alert. In an environment where applications rely on thousands of dependencies, software security extends beyond just your own code to encompass every piece of code you depend on. It’s not unusual for 90% of the code in applications to come from open source dependencies. Developers often cannot scrutinize every line of code in these dependencies. Open source relies on trust, and as a community, it often takes time to identify malicious packages and address them.

Noise and Signal ⚠️

Developers and security teams are overwhelmed by a deluge of non-essential alerts, leading to vulnerability fatigue. Additionally, there are inherent limitations in the security tools available, including those we provide such as:

• High frequency of false positives.
• Inclusion of “unreachable” vulnerabilities, or code that is never executed.
• Reporting of developer dependencies.
• Exaggerated severity ratings for known vulnerabilities.
• Failure to detect ongoing supply chain attacks or malicious dependencies.

In our role as developers, it is critical to adopt a proactive security stance that goes beyond mere compliance, ensuring the integrity and origin of the packages we use. By vigilantly monitoring for vulnerabilities and keeping our dependencies updated, we safeguard our software against threats. Additionally, maintaining transparency with our software dependencies and managing controlled environments help to mitigate the risk of security breaches. This integration of robust security practices into our software development lifecycle not only aligns with national security objectives, but also enhances the security posture across the software industry.

The cybersecurity landscape today is marked by a variety of sophisticated threats targeting both individuals and organizations. Methods such as social engineering and phishing scams exploit human vulnerabilities to steal sensitive information, including credentials. Attackers often compromise Continuous Integration and Continuous Delivery (CI/CD) pipelines, injecting malicious code before software deployment. They exploit system vulnerabilities to gain unauthorized access, targeting open-source components and dependencies, which are often more susceptible to attacks.

Techniques like typosquatting involve attackers registering domains or package IDs that mimic legitimate ones to deceive users. Insider threats also loom large, with disgruntled or malicious employees potentially misusing access to sensitive information. Furthermore, attackers hijacking cloud resources can utilize the scalable computing power of victim organizations for malicious purposes. Navigating this complex and dynamic attack landscape requires a vigilant and comprehensive approach to protect organizational assets.

What We’ve Done 👍

Today, let’s explore the various measures and features that the NuGet team has implemented over the years to enhance your security, while addressing the broad spectrum of security challenges we face together.

• HTTPS Everywhere. Ensures that all interactions with NuGet package sources are conducted over HTTPS, providing a secure channel that protects against unauthorized interception of data. This is critical for maintaining the integrity and confidentiality of software packages during transmission.
• Central Package Management. Allowing teams to manage NuGet packages centrally. This feature reduces the risks associated with inconsistencies and vulnerabilities that can arise from using outdated or unauthorized packages. It streamlines package updates and ensures compliance with security standards across all projects.
• Vulnerability Notifications. These notifications are essential for maintaining security, as they alert developers to known vulnerabilities within their dependencies. This proactive approach enables timely remediation, such as updating or replacing vulnerable packages before they can be exploited in an attack.
• Package ID Prefix Reservations. Prevents malicious actors from spoofing or mimicking trusted packages by ensuring that only authorized users can publish packages under a reserved prefix. This helps maintain trust in the package ecosystem by safeguarding package identity.
• 2FA Required. Requiring two-factor authentication for package publishers enhances security by protecting accounts from unauthorized access. This reduces the likelihood that a compromised account can be used to distribute malicious packages, thereby protecting the community and end users.
• Package Source Mapping. This feature allows developers to specify trusted sources for their package dependencies, effectively preventing the download of packages from untrusted or compromised sources. It is a key defense against supply chain attacks, ensuring that only safe, vetted packages are used in software development.
• Package READMEs. READMEs help you communicate with your community to help them understand how to report security concerns or policies that works best with your workflow and any other important security information regarding your package.
• Community Reporting. Our terms and community reporting mechanisms continue to evolve with the various security threats, impersonations, and unexpected behaviors happening on the registry. We rely on you, the community to help us keep the registry secure for everyone.

What Else Can We Do? 🤔

• Open ID Connect (OIDC). OIDC enhances security with robust authentication and enables convenient access across multiple services through single sign-on (SSO), making systems easier to use and more secure.
• Build Provenance. Build provenance offers transparency about the origins and history of software components, which improves security assessments and compliance with regulations.
• Verified Publishers. Provides an added layer of trust and security, ensuring that the software packages developers use come from reliable and vetted sources, thereby reducing the risk of malicious code entering the software supply chain.
• SBOMs (Software Bill of Materials). SBOMs provide a complete list of all software components, aiding in quick vulnerability management and ensuring compliance with software licenses.
• Automatically Remediate Known Vulnerabilities. Providing one-click/command experiences that will remediate known vulnerabilities in dependencies by upgrading them.
• Add Static Analysis to Reduce False Positives. Use of static analysis to understand whether a vulnerable code path is actually reachable.
• AI-assisted Security Tooling. Interact with a model to remediate common security challenges in your code.
• And much more!

Results 📈

We’re proud of the initial achievements from the 2022 initiatives, and the impact they’ll have on ensuring the software ecosystem is more secure. We saw:

• Two-factor authentication (2FA) adoption on NuGet.org has soared to 100% since requiring it, particularly among users who play crucial roles in the software supply chain.
• Significant decrease in the percentage of downloads of vulnerable packages from NuGet.org, thanks to the new features in .NET 8 and Visual Studio 17.8+ tooling that now alert users to security vulnerabilities.
• Immediate adoption of new security and usability features, such as Central Package Management and Package Source Mapping, in recent major open-source .NET projects.
• A positive response from the .NET community regarding the management of security challenges in packages.

Doing Your Part 👏

Most package downloads with known vulnerabilities could be avoided by choosing a better, already available fixed version. This should highlight the importance for organizations/individuals to carefully select their software versions and make strategic upgrade decisions throughout their project lifecycles.

Even after identifying a critical vulnerability, a substantial number of downloads still occur on vulnerable versions of these libraries. This is concerning and indicates that organizations/individuals need to change their behavior, as critical vulnerabilities are prime targets for exploitation by malicious actors.

By making wise upgrade choices, organizations can also realize significant savings. For example, a development team could save two weeks each year. For a medium-sized company with 20 development teams, this equates to saving 1,600 hours and $240,000 annually, assuming an hourly cost of $150. Additionally, this reduces the risk associated with using these packages.

Vulnerabilities often increase in packages that are popular and widely used. These popular packages draw attention from both positive and negative sources, increasing the chances of a critical issue arising. Typically, these packages have an established disclosure process, making their vulnerabilities more noticeable.

As the timeless advice from G.I. Joe reminds us, “knowing is only half the battle.” Both organizations and individuals must be proactive and use automated systems to effectively tackle these challenges. Here’s how to stay updated on security vulnerabilities in your projects with Visual Studio and NuGet, if you prefer a video, checkout:

Paying attention to Open Source 🔎

When selecting an open-source dependency for your project, it’s crucial to choose one that’s secure, compliant, and reliable. Here are some best practices to guide your decision:

Popularity: A dependency’s popularity can indicate its reliability and community support. Popular projects often have numerous users and contributors who frequently test, update, and secure the software. This high level of engagement typically means that issues like bugs and vulnerabilities are resolved quickly, enhancing the project’s stability and security.

Documentation and Coding Standards: Clear, comprehensive documentation and well-defined coding standards are vital. These elements make it easier for developers to understand, utilize, and contribute to the project, thereby reducing integration challenges and easing long-term maintenance.

Automated Updates: Choosing dependencies that support automated updates through tools like Dependabot can maintain software security and stability with minimal manual intervention, reducing exposure to vulnerabilities.

Active Maintenance: The activity level of a project is also a critical consideration. Avoid dependencies that lack recent updates or active maintenance, as they may pose security threats and leave you without support for resolving future issues.

Security Practices: Evaluate the project’s approach to security. Prefer projects that perform regular security audits, have a transparent security policy, and address vulnerabilities promptly.

License Compatibility: Ensure the project’s license is compatible with your project to prevent potential legal issues.

Project Maturity and Release Stability: Consider the project’s age and the stability of its releases. Older, well-maintained projects are likely to have undergone extensive testing and development, suggesting a mature and reliable option. Regular, stable releases indicate an actively maintained project.

By applying these criteria, you can effectively assess the suitability of integrating a specific open-source dependency into your project, ensuring it enhances your development process without increasing risk.

NuGet offers extensive metadata and best practices to guide your approach. Check out this informative video for a comprehensive overview:

Best Practices ✅

Keeping up with best practices can save you time and money when managing your dependencies. Below are some key best practices in package management, open source software, and software supply chains:

• NuGet Security Best Practices
• OpenSSF Guides
• The Journey to Secure the Software Supply Chain at Microsoft

How You Can Help 🤩

• For registry maintainers, begin implementing these new security practices.
• For package authors, start adopting these security best practices.
• For package consumers, take the initiative to educate yourself on these best practices.

We stand on the shoulders of giants, where estimates suggest that up to 90% of the code we run in production is open source. Now is a reminder to express your gratitude to these projects by supporting their ongoing maintenance and security, benefiting everyone.

For many of our initiatives, we publish open source design proposals and tracking issues. We welcome all sorts of feedback such as reactions, comments, and even evangelism to encourage others to do the same.

Summary 📦

Fundamental security principles are essential in fortifying the software supply chain and safeguarding .NET developers across the globe. NuGet is at the forefront of enhancing security, implementing critical initiatives such as HTTPS Everywhere, Central Package Management, and proactive vulnerability notifications. These measures are vital in managing the surge in package downloads and the significant increase in security advisories, ensuring our ecosystem remains robust and secure.

The challenges posed by open-source software downloads and the neglect of unmaintained OSS are significant, yet they offer an opportunity for collective action. By fostering community involvement in the creation of new security practices, we empower developers to contribute to a safer and more secure environment for all.